It's unclear when any announcement might occur, however, as the FTC is not open due to the government's partial shutdown.

On Monday, a Sydney-based Facebook official told Information Security Media Group that the company has no comment on the report.

The FTC's Facebook probe began in March 2018. But it's not the first time the social network has faced scrutiny from the regulator. Since 2011, in fact, Facebook has been bound by an agreement with the FTC stemming from previous privacy missteps, including sharing data without consent.

Cambridge Analytica, which is now defunct, was a U.K.-based political-consulting firm that briefly worked for President Donald Trump's campaign. It obtained as many as 87 million Facebook profiles from a Cambridge University lecturer in violation of Facebook's policies and without those users' consent (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).

The blowback over the Cambridge Analytica scandal was both fierce and global.

The U.K. was one of the first enforcers out of the gate. In October 2018, the U.K.'s Information Commissioner's Office levied its maximum possible fine of £500,000 ($645,000) against Facebook. Information Commissioner Elizabeth Denham said a higher fine would have been appropriate if the law had allowed for it, as the EU's General Data Protection Regulation now does (see: Facebook Slammed With Maximum UK Privacy Fine).

Improper Sharing?

Facebook's settlement with the FTC in November 2011 put it under a strict monitoring regime, including the provision that for the next 20 years, the social network must submit to third-party audits every two years.

One of the FTC's main aims was to ensure that Facebook obtains consent from users before sharing their data. At the time of the settlement, the FTC alleged that Facebook had misleading privacy controls, making it appear that users could isolate data sharing to "Friends Only."

But third-party apps could still collect data not only from the people who directly used those apps but also from those users' friends. That practice should have ended with the 2011 settlement, and its apparent continuation is now one of the triggers for the agency's probe into the Cambridge Analytica debacle.

Around 2014, a Cambridge University researcher named Aleksandr Kogan created a Facebook app called This Is Your Digital Life, a kind of personality quiz. Only about 270,000 individuals directly used it. But when they did, the app grabbed the personal data of their friends, ultimately accessing details for 87 million Facebook users worldwide.

Kogan sold the data to Cambridge Analytica, which specialized in social media influence campaigns. The insight from that personal data would have helped to craft more effective messaging campaigns using Facebook's powerful advertising systems, which allow targeting based on location, age, email addresses and phone numbers, among other characteristics.

When Facebook learned of the Cambridge Analytica situation in early 2015, the company said it tightened the restrictions on what data apps could obtain. But the Wall Street Journal last June reported that despite those restrictions, Facebook still allowed certain partners to obtain personal data and bypass users' privacy settings (see: Facebook to Congress: We Shared More Data Than We Said).

Facebook said in response to the report that it would wind down those partnerships with companies including Spotify, Nissan, Netflix and Microsoft. It also admitted that it failed to deactivate certain APIs that allowed access to data when it retired a feature called "Instant Personalization" in 2014, which integrated Facebook features into other desktop applications.

Ongoing Probes

The Washington Post reports that FTC officials are considering a fine that exceeds the $22.5 million fine that Google agreed to in 2012. In that case, the FTC alleged that Google violated a 2011 agreement by misrepresenting to consumers how they could control their data.

The FTC alleged that Google circumvented a feature in Apple's Safari browser that blocked third-party cookies by default, despite telling users they would be opted out of web tracking. Safari still accepted certain temporary cookies, and Google used that exception to place a DoubleClick cookie in the browser's storage. Google then used that cookie to interact with other cookies set by the DoubleClick network.

The U.S. lacks a federal data privacy law, although the FTC does have a consumer protection mandate. Accordingly, the agency can and does act on privacy matters if it suspects that companies may have deceived consumers. If the FTC concludes that an organization has violated consumer protection rules, it lacks the ability to fine the organization outright. Instead, it can negotiate a settlement with the organization, which may include the provision that any further violations will carry specific sanctions, including a fine.

Some U.S. states also have ongoing investigations related to Cambridge Analytica. In December 2018, the District of Columbia filed the first lawsuit at a regional level. Starting around March 2018, New York, Massachusetts, New Jersey, Connecticut and Pennsylvania also launched their own investigations (see: Facebook Sued in U.S. Over Cambridge Analytica).

The D.C. lawsuit alleges that Facebook's confusing and misleading privacy controls gave users false assurances that their data would not be shared. The district alleges Facebook violated the district's Consumer Protection Procedures Act, which gives consumers the right to truthful information about consumer goods and services.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
